Cybersecurity researchers on Tuesday disclosed details about a high-severity flaw in the HP OMEN driver software that impacts hundreds of thousands of gaming computers around the globe, leaving them open to an array of attacks.
Tracked as CVE-2021-3437 (CVSS score: 7.8), the vulnerabilities could enable threat actors to escalate privileges to kernel mode without requiring administrator permissions, allowing them to disable security products, overwrite system components, and even corrupt the operating system.
Cybersecurity firm SentinelOne, which discovered and reported the shortcoming to HP on February 17, said it found no evidence of in-the-wild exploitation. The computer hardware company has since released a security update to its customers to address these vulnerabilities.
The issues themselves are rooted in a component called OMEN Command Center that comes pre-installed on HP OMEN-branded laptops and desktops and can also be downloaded from the Microsoft Store. The software, in addition to monitoring the GPU, CPU, and RAM via a vitals dashboard, is designed to help fine-tune network traffic and overclock the gaming PC for faster computer performance.
“The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities,” SentinelOne researchers said in a report shared with The Hacker News.
“In the right circumstances, an attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”
The driver in question is HpPortIox64.sys, which derives its functionality from the OpenLibSys-developed WinRing0.sys, a problematic driver that emerged as the source of a local privilege escalation bug in EVGA Precision X1 software (CVE-2020-14979, CVSS score: 7.8) last year.
“WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host,” researchers from SpecterOps noted in August 2020. “These features are intended by the driver’s developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation.”
The core issue stems from the fact that the driver accepts input/output control (IOCTL) calls without implementing any form of ACL enforcement, thus granting bad actors unrestricted access to the aforementioned features, including the ability to overwrite a binary that is loaded by a privileged process and ultimately run code with elevated privileges.
“To reduce the attack surface provided by device drivers with exposed IOCTL handlers, developers should enforce strong ACLs on device objects, verify user input and not expose a generic interface to kernel mode operations,” the researchers said.
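For defenders, the practical follow-up to the passage above is an inventory question: which endpoints still carry the OMEN Command Center driver, and which build of it. The following PowerShell audit is an added example written for this page; it is not code from The Hacker News, SentinelOne, or HP. It assumes the driver ships as HpPortIox64.sys (the only file name the article gives), that WinRing0-derived files use a WinRing0* name, that the Store package name contains "OMEN", and that the files live under System32\drivers or the DriverStore; all four are assumptions to adjust for your fleet. The script only reads package, service and file metadata so that the reported version, signer and SHA-256 can be compared against HP's patched release.

```powershell
# Added example (not from the article or from SentinelOne/HP). Run in an
# elevated PowerShell session on a Windows endpoint to inventory the HP OMEN
# Command Center driver discussed above.
#
# Assumptions (not stated on the page): driver file name HpPortIox64.sys,
# WinRing0-derived copies named WinRing0*.sys, Store package name matching
# '*OMEN*', and driver files under System32\drivers or the DriverStore.

$driverPattern = '^(HpPortIox64|WinRing0)'          # service/file name prefixes to look for
$searchRoots   = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# 1. Is the OMEN Command Center Store package present for any user?
$omen = Get-AppxPackage -AllUsers -Name '*OMEN*' -ErrorAction SilentlyContinue
if ($omen) {
    Write-Output '== OMEN Command Center package(s) =='
    $omen | Select-Object Name, Version, PackageFullName | Format-Table -AutoSize
} else {
    Write-Output 'No OMEN Command Center Store package found.'
}

# 2. Is a matching kernel driver registered as a service (whether loaded or not)?
Write-Output '== Registered kernel drivers matching the pattern =='
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match $driverPattern } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Driver files on disk: version, Authenticode signer and hash for comparison
#    with the vendor's patched build. Signature status is reported, not enforced.
Write-Output '== Driver files on disk =='
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $driverPattern } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWrite   = $_.LastWriteTime
            }
        }
}
```

The three sections answer different questions: the Store package tells you the application is installed, the Win32_SystemDriver entry tells you the kernel service is registered and whether it is running, and the file listing gives the version and hash you need to confirm that HP's security update actually replaced the driver rather than leaving an older copy staged in the DriverStore.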
The findings mark the second time WinRing0.sys has come under the lens for creating security problems in HP products.
In October 2019, SafeBreach Labs disclosed a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which comes bundled with the driver, thus potentially enabling threat actors to leverage the component to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass.
Following the disclosure, enterprise firmware security company Eclypsium, as part of its “Screwed Drivers” initiative to compile a repository of insecure drivers and shed light on how they can be abused by attackers to gain control over Windows-based devices, dubbed WinRing0.sys a “wormhole driver by design.”
The discovery is also the third in a series of security vulnerabilities affecting software drivers that have been uncovered by SentinelOne since the start of the year.
Earlier this May, the Mountain View-based company revealed details about a number of privilege escalation vulnerabilities in Dell’s firmware update driver named “dbutil_2_3.sys” that went undisclosed for more than 12 years. Then in July, it also made public a high-severity buffer overflow flaw affecting “ssport.sys,” used in HP, Xerox, and Samsung printers, that was found to have remained undetected since 2005.